Best Practices Guide

The document outlines best practices for configuring network devices, including access and trunk ports, spanning tree protocol (STP), VLANs, VTP, and various routing protocols (OSPF, EIGRP, BGP). It also covers general hardening commands, logging, SSH configuration, and AAA settings for enhanced security. Additionally, it emphasizes the importance of disabling unused services and managing passwords effectively.

Uploaded by katharprashant12

1) For Access/Edge/End Ports

interface g1/0/1
switchport mode access
switchport access vlan x
switchport nonegotiate
switchport port-security maximum 1
switchport port-security
switchport port-security aging time 10
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
storm-control broadcast level 20.00
storm-control multicast level 20
storm-control action trap
no cdp enable

2) For Access/Edge/end Ports with IP Phones

interface g1/0/1
switchport mode access
switchport access vlan x
switchport nonegotiate
switchport voice vlan y
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 10
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
storm-control broadcast level 20.00
storm-control multicast level 20
storm-control action trap
no cdp enable

3) For trunk ports to Switches

interface g1/0/1
switchport mode trunk
switchport trunk allowed vlan x, y
switchport trunk native vlan z ---- (Z must be an unused VLAN)
switchport nonegotiate
storm-control broadcast level 20.00
storm-control action trap
no cdp enable

4) For trunk ports to devices such as firewalls, routers and load balancers that do not send BPDUs

interface g1/0/1
switchport mode trunk
switchport trunk allowed vlan x, y
switchport trunk native vlan z ---- (Z must be an unused VLAN)
switchport nonegotiate
spanning-tree portfast edge trunk
storm-control broadcast level 20.00
storm-control action trap
no cdp enable
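As an added illustration (not part of the original guide), the following Python script parses IOS-style interface stanzas from a running-config and reports edge or trunk ports that deviate from templates 1 to 4. The sample config embedded in it is constructed, and the interface names and the exact set of checked commands are this example's own choices.

```python
# Constructed sample running-config excerpt (not from the page): one access port that
# follows the template, one bare access port, and one trunk whose native VLAN is allowed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
 no cdp enable
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 20
!
"""
ACCESS_REQUIRED = ("switchport nonegotiate", "switchport port-security",
                   "spanning-tree bpduguard enable", "no cdp enable")
TRUNK_REQUIRED = ("switchport nonegotiate", "no cdp enable")

def parse_interfaces(config):  # -> {interface name: [stripped sub-commands]}
    stanzas = {}
    for block in config.split("\n!"):  # IOS 'show run' closes every stanza with '!'
        lines = [l.strip() for l in block.strip().splitlines()]
        if lines and lines[0].startswith("interface "):
            stanzas[lines[0].split(None, 1)[1]] = lines[1:]
    return stanzas

def expand_vlans(spec):  # '10,20-22' -> {10, 20, 21, 22}
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def audit(config):  # -> [(interface, finding)]; an empty list means every port matches
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" in lines:
            findings += [(name, f"missing '{c}'") for c in ACCESS_REQUIRED if c not in lines]
        elif "switchport mode trunk" in lines:
            findings += [(name, f"missing '{c}'") for c in TRUNK_REQUIRED if c not in lines]
            spec = [l.split()[-1] for l in lines if l.startswith("switchport trunk allowed vlan ")]
            native = [int(l.split()[-1]) for l in lines if l.startswith("switchport trunk native vlan ")]
            if not native:
                findings.append((name, "native VLAN left at default (1)"))
            elif spec and native[0] in expand_vlans(spec[0]):  # native VLAN must stay unused
                findings.append((name, f"native VLAN {native[0]} is also an allowed VLAN"))
    return findings
```

Run `audit(open("running-config").read())` against a saved `show running-config` to list the non-compliant ports.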

5) STP

spanning-tree mode rapid-pvst
spanning-tree pathcost method long

Primary root switch: spanning-tree vlan x,y priority 4096
Secondary root switch: spanning-tree vlan x,y priority 8192

6) VLANs

vlan 100
name Server-VLAN

vlan 500
name Unused-VLAN

vlan 501
name Native-VLAN

7) VTP

In IOS:
vtp mode transparent
vtp ___domain abc

In NX-OS:
no feature vtp

8) UDLD on fiber links

Global level: udld aggressive
Interface level: udld port aggressive

9) L3 Links

interface g1/0/1
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable

interface vlan 10
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable

interface port-channel 10 (L3 port-channel)
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable

interface loopback10
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable

10) HSRP

a) Make sure that the HSRP active device is also the STP root
b) Enable HSRP authentication
c) Use the VLAN number as the HSRP group number for easier administration

IOS:
key chain HSRP
key 1
key-string abcd@1234

interface g0/0
standby version 2
standby 5 ip 10.1.5.1
standby 5 timers 1 4
standby 5 priority 105
standby 5 preempt
standby 5 authentication md5 key-chain HSRP

interface vlan 5
standby version 2
standby 5 ip 10.1.5.1
standby 5 timers 1 4
standby 5 priority 105
standby 5 preempt
standby 5 authentication md5 key-chain HSRP

NX-OS:
feature hsrp
key chain HSRP
key 1
key-string abcd@1234

interface g0/0
hsrp version 2
hsrp 5
ip 10.1.5.1
timers 1 4
priority 105
preempt
authentication md5 key-chain HSRP

interface vlan 5
hsrp version 2
hsrp 5
ip 10.1.5.1
timers 1 4
priority 105
preempt
authentication md5 key-chain HSRP

11) OSPF

int loopback 10
desc *** OSPF Router-ID ***
ip add a.b.c.d 255.255.255.255

router ospf 10
router-id a.b.c.d
passive-interface g0/0 (interface on which a neighborship is not required)

int g0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 0 abcd@1234 (NX-OS; 0 = key entered in clear text, 3 = key already 3DES-encrypted)
or
ip ospf message-digest-key 1 md5 abcd@1234 (IOS)

12) EIGRP

int loopback 10
desc *** EIGRP Router-ID ***
ip add a.b.c.d 255.255.255.255

router eigrp 10
router-id a.b.c.d
passive-interface g0/0 (interface on which a neighborship is not required)

key chain EIGRP
key 1
key-string abcd@1234

int g0/0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 EIGRP
ip hello-interval eigrp 10 1
ip hold-time eigrp 10 3

13) BGP

int loopback 10
desc *** BGP Router-ID ***
ip add a.b.c.d 255.255.255.255

router bgp 10
bgp router-id a.b.c.d (IOS; NX-OS uses router-id a.b.c.d)
bgp log-neighbor-changes
neighbor a.b.c.d remote-as <remote-AS>
neighbor a.b.c.d description *******
neighbor a.b.c.d password 0 xyz@1234 (0 = entered in clear text; type 7 is only for a string that is already encrypted)
neighbor a.b.c.d timers 1 3 (for LAN links)
or
neighbor a.b.c.d timers 15 20 (for WAN links)

14) General Hardening commands

a) Banner
banner login ^C
************************************************************************
>>>>>>>>>>>>>>> ATTENTION <<<<<<<<<<<<<<<<

Authorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!
This system is monitored and events are continuously recorded as logs.
If during the course of monitoring or otherwise it is found that
the system is being used by personnel in violation of the provisions
of authority or without authority, it will be deemed unlawful under
the court of law of the Government of India.

In such an event, he or she may be subjected to legal proceedings,
unilaterally decided by MULTI COMMODITY EXCHANGE OF
INDIA LIMITED IT GROUP in the Indian court of law.
The logs generated in such cases, but not limited to,
will be used as evidence in the court of law.
************************************************************************
^C

b) VTY acl

ip access-list standard ssh-access
permit a.b.c.d
permit a.b.c.e

c) Exec, VTY and console timeouts

line con 0
session-timeout 5
exec-timeout 5 0
logging synchronous

line vty 0 4
session-timeout 5
access-class ssh-access in
exec-timeout 5 0
logging synchronous
transport input ssh

line aux 0
no exec
transport output none

d) NTP and IST timezone

ntp server x.x.x.x
ntp source mgmt0
clock timezone IST 5 30

e) Logging

no logging console
logging buffered informational
logging trap debugging
logging host x.x.x.x (IOS) or logging server x.x.x.x use-vrf management (NX-OS; use the default or management VRF as appropriate)
logging source-interface mgmt0
logging timestamp milliseconds (NX-OS)

f) Enabling SSH

ip ___domain-name abc.in
crypto key generate rsa general-keys modulus 2048
ip ssh time-out 60
ip ssh version 2

g) CPU threshold notification

process cpu threshold type total rising 80 interval 5 falling 20 interval 5

h) SNMP

Configure SNMPv3
Configure an SNMP access ACL

i) Configuration Replace and Configuration Rollback

archive
path disk0:archived-config
maximum 14
time-period 1440
write-memory

j) Configuration Change Notification and Logging

archive
log config
logging enable
logging size 200
hidekeys
notify syslog
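The CFGLOG messages that notify syslog sends can be checked automatically on the syslog collector. This Python example is added here and is not part of the original guide; the syslog lines in it are constructed, and the WEAKENING patterns and user names are assumptions chosen to match the controls in this guide.

```python
import re

# Constructed IOS syslog lines (not from the page) in the shape that
# 'archive / log config / notify syslog' emits: %PARSER-5-CFGLOG_LOGGEDCMD.
SAMPLE_SYSLOG = """\
Mar  3 10:01:12.101 IST: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet1/0/7
Mar  3 10:01:15.334 IST: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:switchport access vlan 20
Mar  3 10:02:40.007 IST: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no spanning-tree bpduguard enable
Mar  3 23:14:02.910 IST: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no aaa accounting commands 15 INNITI start-stop group INNITIAAA
Mar  3 23:14:09.118 IST: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no logging 10.0.0.5
Mar  3 23:14:20.552 IST: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:transport input telnet ssh
"""

CFGLOG = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

# (regex, reason) pairs for commands that undo controls this guide configures (assumed list).
WEAKENING = [
    (r"^no (aaa |logging |archive|service password-encryption|ip ssh)",
     "hardening control removed"),
    (r"^no (spanning-tree bpduguard|switchport port-security|switchport nonegotiate|storm-control)",
     "edge-port protection removed"),
    (r"^transport input .*\btelnet\b", "telnet enabled on a line"),
    (r"^(no )?(username|enable secret|enable password|tacacs server|key-string)",
     "credential or AAA server change"),
]

def parse_cfglog(text):
    """Yield (user, command) for every CFGLOG_LOGGEDCMD line; other lines are ignored."""
    for line in text.splitlines():
        m = CFGLOG.search(line)
        if m:
            yield m.group("user"), m.group("cmd").strip()

def find_weakening(text):
    """Return [(user, command, reason)] for logged commands matching a WEAKENING pattern."""
    hits = []
    for user, cmd in parse_cfglog(text):
        for pattern, reason in WEAKENING:
            if re.search(pattern, cmd):
                hits.append((user, cmd, reason))
                break
    return hits

def findings_per_user(text):
    """Count findings per user, so a burst of weakening changes from one account stands out."""
    counts = {}
    for user, _, _ in find_weakening(text):
        counts[user] = counts.get(user, 0) + 1
    return counts
```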

k) AAA

tacacs server DCISE01
address ipv4 a.b.c.d
key ghij@1234
tacacs server DRISE01
address ipv4 a.b.c.e
key ghij@1234
aaa new-model
!
!
aaa group server tacacs+ INNITIAAA
server name DCISE01
server name DRISE01
!
aaa authentication login INNITI group INNITIAAA local
aaa authorization console
aaa authorization config-commands
aaa authorization exec INNITI group INNITIAAA local
aaa authorization commands 0 INNITI group INNITIAAA local
aaa authorization commands 1 INNITI group INNITIAAA local
aaa authorization commands 15 INNITI group INNITIAAA local
aaa accounting exec INNITI start-stop group INNITIAAA
aaa accounting commands 0 INNITI start-stop group INNITIAAA
aaa accounting commands 1 INNITI start-stop group INNITIAAA
aaa accounting commands 15 INNITI start-stop group INNITIAAA
aaa accounting connection INNITI start-stop group INNITIAAA
aaa session-id common

line con 0
login authentication INNITI
authorization commands 0 INNITI
authorization commands 1 INNITI
authorization commands 15 INNITI
authorization exec INNITI
accounting exec INNITI
accounting commands 0 INNITI
accounting commands 1 INNITI
accounting commands 15 INNITI

line vty 0 4
login authentication INNITI
authorization commands 0 INNITI
authorization commands 1 INNITI
authorization commands 15 INNITI
authorization exec INNITI
accounting exec INNITI
accounting commands 0 INNITI
accounting commands 1 INNITI
accounting commands 15 INNITI
accounting connection INNITI

l) Disable unused services

no service pad
no service dhcp
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no ip finger
no ip http server
no ip http secure-server
no ip bootp server
no ip source-route
no cdp run
no ip tftp source-interface
no ip ftp source-interface
no ip ftp username
no ip ftp password
no ip rcmd rsh-enable
no ip rcmd rcp-enable
no ip identd
no ip ___domain lookup

m) Keepalives for TCP Sessions

service tcp-keepalives-in
service tcp-keepalives-out

n) Configure Logging Timestamps

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

o) Password management

service password-encryption
